You must log in or # to comment.
So the exploit redirected update traffic. Does that mean anyone who ran updates in that time period could have downloaded a compromised version and their machine would be infected?
Why isn’t that covered in the post?
Yes, that’s what it means.
And apparently, it happened selectively, not generally, but for specific people/request sources.
It would only be if you use the Notepad++'s own update mechanism. If you used other package managers or went and downloaded the installer to update you’d be fine.
First thing I do every time I (manually) update notepad++ is turn off automatic updates. Automatic updates are the root of all evil
But what about all the new and exciting features?! What if they come out with more letters, then who will be laughing? Likely still you but hey automagic programs are standard right?
Worth noting this is not a new vulnerability, it’s an analysis of a vulnerability disclosed in December:
Following the security disclosure published in the v8.8.9 announcement
https://notepad-plus-plus.org/news/v889-released/
the investigation has continued in collaboration with external experts and with the full involvement of my (now former) shared hosting provider.According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanism remains under investigation, though the compromise occured at the hosting provider level rather than through vulnerabilities in Notepad++ code itself.
Notepad++ Hijacked by State-Sponsored Hackers
Links to notepad-plus-plus.orgYea idk enough about to computers to know if I should click that or not…
shoutout to evilsocket! nothing like this ever gets access with opensnitch
Didn’t Steve Gibson talk about this awhile ago?
How many times has this happened to Notepad++ now?
Once
Note on timelines: The security exper’s analysis indicates the attack ceased on November 10, 2025, while the hosting provider’s statement shows potential attacker access until December 2, 2025. Based on both assessment, I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.
I’m only aware of the one (somewhat extended) time described in the article. The dev(s?) has been upfront about what happened and provided updates as they learned more information, hence multiple headlines on the subject.
With these changes and reinforcements, I believe the situation has been fully resolved. Fingers crossed.
The incident began from June 2025. Multiple independaent security researchers have assessed that the threat acotor is likely a Chinese state-sponsored group, which would explain the highly selective targeting obseved during the campaign.
I do kind of wonder about the emacs package management infrastructure system. Like, if attacking things that text editors use online is an actively-used vector.
Text editors with plugin support as potential vectors of malware is a pretty well known problem. It’s why at the very least organisations should be auditing the plugins used and actively monitoring them.
Well now I’m nervous! My first instinct though is that the vast majority of Emacs packages are plain elisp, and Emacs users have a habit of cracking open and tinkering with their packages, so any malicious code ought to be spotted quickly.
With the native compiled modules however, it could be another story…
It bothers me that there are so many typos in this post. Doesn’t N++ have spellcheck?
Maybe that was in an update.
Funny. (Offered since 2015, last update was in 2023)
Yeah, not like we are reading about how “According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org.”
But maybe the endless need for autoupdates on everything (in this case N++) will be the end of secure software. Ironic.
Wait, are you saying that the attacks in 2025 possibly disabled the devs spellcheck?
Ha! Unlikely, but having a notepad program have automatic updates by default is just about dumb enough that I could see it.
For sure
It does have ninjas though.
I remember a day when hackers used to be sponsored privately. /s
It used to be that being a ML (Malicious Linguist) in someones garage was the rage, now we got “Hackers with Chinese characteristics” smh
know this one was not their fault but i haven’t trusted np++ since the charlie hebdo stunt that made it look like the app was a virus.
I think their support of charlie hebdo was different from them getting attacked for it. it’s hard to tell if you’re blaming them for naming a version in solidarity or getting hacked afterwards.
the version would pop a new window and auto type. that, when i saw it, smelled just like an attack. so i uninstalled and yeah it wasnt an attack but certainly was a stupid effect.
